The Court of Justice of the European Union invalidated the EU-US Privacy Shield in a profound decision on July 16. They also reminded both companies and the Data Protection Authorities of their respective responsibilities to assess the ability for transfers made under the commonly used Standard Contractual Clauses (SCCs) to be done so consistent with the GDPR. The invalidation of Privacy Shield due to aspects of the US Government’s surveillance programs raises new questions as to whether the use of SCCs and other transfer mechanisms when conveying personal data to the US may also not be valid. At a minimum, the Court reminded everyone of the obligations that accompany using SCCs and the process of doing so just became much more burdensome and uncertain.
Read our Data Privacy and Cybersecurity Team’s assessment of this decision and recommended steps for those transferring personal data here.